GitHub recommends that projects have a dedicated Security Policy file (SECURITY.md).
psutil already has a de facto security policy in the Contribution Guide, but having this information in a dedicated file makes the information easier to find. Not only is SECURITY.md a standard file security researchers look for, but if GitHub detects the file, it automatically adds its contents to the project's Security panel and adds a new "issue type" that directs users to the policy.
I'd therefore suggest moving the Tidelift information from the Contributor Guide to a dedicated file. I'll send a PR with a draft along with this issue.
Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.